So, I am working in a company where we are revamping the entire concept of how we do security, to include a centralized SOC/CERT at the company HQ level, who are responsible for bringing logging in from ALL of our divisions and subsidiaries; translating those events into a common operational picture of the current state of alerts and events across the company; and investigating alerts and events that would indicate a security incident.
We are going all-in on establishing a data lake where these events would be coming in, stored and analyzed. Still not sure about using Sentinel or going another route. My question to the team here: is there a definitive document or set of documents from MS that says, "these are the minimum logs you would want/need" for effective monitoring of a hybrid, on-prem, multi-cloud-provider environment?
A centralized best-practices document, or a series of them, would be ideal!